Securing Democracy in the Digital Age: Overview of Cybersecurity Challenges in Electronic Election Systems
Electronic Voting Machine (Source: Commonwealth Human Rights Initiative)

We are all familiar with the conventional election procedure: a paper-based process in which voters cast paper ballots that election officials count manually. For the past two decades we have also been hearing about electronic voting systems. These systems use digital ballots and promise improved efficiency by streamlining the voting process and reducing waiting times, as well as accessibility and inclusion, so that individuals with physical disabilities or mobility issues can participate more easily in the electoral process. They also promise faster results, enhanced accuracy, flexibility (different election types, from national elections to local referendums), a deterrent to fraud, and cost savings. At the same time, the involvement of electronic and digital technology in election processes is one of the major concerns raised by many people, including election experts, voters, and candidates contesting elections.

The transition from a traditional paper-based system to an electronic system raises questions about the cybersecurity of the electoral process.

The integrity and confidentiality of the voting process have been questioned by many due to concerns about potential cyber threats and vulnerabilities in electronic voting systems.

Vulnerabilities can expose the system to hacking, data breaches, and the potential manipulation of votes or voter information. Moreover, the reliance on technology introduces a new dimension of risk, as technical malfunctions or software errors could lead to inaccuracies in the vote count or system failures.

Transparency and verifiability of electronic voting systems are other concerns commonly raised. In traditional elections, the physical paper ballots provide a tangible and auditable record of the votes cast. In contrast, some electronic voting systems lack a Voter-Verified Paper Audit Trail (VVPAT), making it challenging to conduct post-election audits and independently verify the accuracy of results.

Electronic voting systems’ usability can have both benefits and drawbacks. While it intends to increase voting accessibility for people with impairments and others who live in remote locations, it may accidentally exclude some groups of the population who are not tech-savvy or lack access to electronic equipment.

Despite these concerns, proponents of electronic voting systems claim that with adequate cybersecurity measures in place and rigorous testing, an electoral system that is cyber-secure can mitigate these risks and ensure the integrity of the voting procedure. Building public confidence in the electronic voting system is possible through the implementation of strong encryption, authentication mechanisms, and security audits.

While there may be efficiency and accessibility advantages to electronic voting systems, it is critical to address cybersecurity and transparency issues to ensure a trustworthy and reliable electoral process. The effective introduction of electronic voting systems depends on finding the correct balance between embracing technological improvements and defending the democratic values of free and fair elections.

Use of E-Voting Around the World

According to the statistics shown by International IDEA (International Institute for Democracy and Electoral Assistance) in the figure below, e-voting is currently employed in 19% of countries (34 out of 178) at the national and/or sub-national levels.

An additional 15% of countries have conducted feasibility studies or tests, considering the implementation of e-voting in future elections. However, it’s crucial to acknowledge that 6% of countries (11 in total) have abandoned e-voting due to concerns surrounding the trust and security of the voting process. (International IDEA)

Use of e-voting around the world (Source: International IDEA)

Use of Internet voting

Internet voting is gaining global momentum, and it’s commendable to witness Pakistan among the 14 countries embracing this modern approach to voting.

Use of Internet voting around the world (Source: International IDEA)

With the growing adoption of e-voting and internet voting, the emergence of cyber threats becomes a critical concern. Understanding and effectively mitigating these threats have become imperative tasks and top priorities.

The standpoint of Cybersecurity in Electronic Voting and Election Security

Cybersecurity threats to electronic voting systems are not only a threat to these systems but also to national democracy.

Cyber threats to democracy are an increasing global concern for government organizations, elected officials, and election campaigns as electronic voting methods become more widely used. Many technologies that are targeted by attackers must be protected during the election process. To effectively defend democracies and elections from influence, disruption, and compromise, it is necessary to secure election campaigns, election administration, and election systems. This protection must include third-party and supply-chain compromise assessments and mitigation measures. (Mandiant)

Targets of Cyberthreat Activity

1. Election Campaigns

Election Campaign targets of threat activity in Election Security (Source: Mandiant)

2. Election Administrators

Election Administrator targets of threat activity in Election Security (Source: Mandiant)

3. Election Systems

Election System targets of threat activity in Election Security (Source: Mandiant)

Types of Cyberthreats to Election Security:

Types of Threats to Election Security (Source: Mandiant)

1. Spreading of disinformation on social media platforms and messaging services:

In order to propagate false or misleading information about candidates, political parties, or the electoral process, malicious actors may use social media platforms and messaging services. Disinformation campaigns may involve the spread of false information, twisted facts, deceptive pictures or films, and misinformation with the intention of fooling voters and influencing public opinion. These activities may influence voter behavior and election results by creating doubt, creating conflict, and creating confusion about the political process. Social media is a platform where disinformation may spread quickly and widely; therefore, recognizing and combating these threats presents major challenges for election security. (Source: Mandiant)

2. Cyber espionage, spearphishing, and social engineering of political campaigns, election administrators, and other influencers:

This sort of threat involves sophisticated adversaries using a variety of cyber tactics to target and compromise significant individuals and entities in the electoral process. Adversaries may carry out stealthy operations to gain unauthorized access to sensitive information held by political campaigns, election administrators, or other influential figures. They may intrude on networks, databases, or communications to obtain valuable data that can be used to influence or disrupt the election process.

Adversaries may carry out spearphishing and social engineering campaigns to target and deceive specific individuals within political campaigns, election authorities, or influential personalities by using personalized email or electronic communication. Because the phishing emails can appear authentic, they can lead recipients to click on malicious links and disclose sensitive data such as credentials for critical systems. (Source: Various, including Mandiant)

3. Disinformation campaigns using stolen data, fabricated content, or compromised access:

Adversaries may use fake content, stolen data, or compromised access in their disinformation campaigns. They may disseminate misleading information in an effort to mislead voters, influence public opinion, and compromise the credibility of the political process. In order to preserve the integrity of electronic election systems against these dangers, it is necessary to implement and adopt strong cybersecurity measures, media literacy initiatives, and open communication channels. To secure the validity and fairness of elections in the digital age, collaboration between cybersecurity and tech companies, governments, and civil society is essential. (Source: Various, including Mandiant)

4. Attacks on critical election infrastructure to tamper with or alter votes:

In order to tamper with or alter votes and compromise the integrity of the electoral process, adversaries may target essential components of the election infrastructure. (Source: Various, including Mandiant)

  • Electronic Voting Machines: Adversaries may attempt to compromise electronic voting machines to manipulate or disrupt the voting process, change vote tallies, or change candidate selections.

  • Voter Registration Databases: Adversaries may attempt to target voter registration databases; a compromise may allow them to modify voter records, potentially leading to voter deprivation or causing confusion and chaos during the voting process.
  • Vote-Tabulating Systems: Adversaries may tamper with vote-tabulating systems, which could result in inaccurate or manipulated vote counts, influencing election outcomes.
  • Election Websites and Communication Channels: Adversaries may target election websites or communication channels in an effort to spread false information, confuse voters, or obstruct access to voter information.
  • Power and Communication Infrastructure: Adversaries may also disrupt the power supply or communication networks that support election systems, which can cause widespread disruption and hinder voting operations.

5. General cyberattacks on the electoral process:

The electoral process might be a random target of DoS/DDoS attacks, defacement of websites, manipulation of the website content, criminally or financially motivated generic hacking, and exploiting a lack of cyber hygiene, e.g., brute-forcing weak credentials, unauthorized access, phishing, and spearphishing. (Source: Sam van der Staak et al., Cybersecurity in Elections)

6. Targeted Cyberattacks on the Electoral Process:

Targeted cyberattacks on the electoral process may include zero-day exploits, social engineering, phishing, access to and manipulation of election data, compromise of election technology, and insider threats. (Source: Sam van der Staak et al., Cybersecurity in Elections)

Adversaries that can negatively impact the integrity of elections

1. Politically motivated: (Source: Sam van der Staak et al., Cybersecurity in Elections)

  • Foreign national states
  • Domestic political actors
  • Hacktivists
  • Terrorists

2. Not politically motivated: (Source: Sam van der Staak et al., Cybersecurity in Elections)

  • Organized crime
  • Financially motivated criminals
  • Individuals

Standards: Election Technology and Cyber Security

1. Universal Declaration on Human Rights (Article 21):

Everyone has the right to take part in the government of his country, directly or through freely chosen representatives. Everyone has the right of equal access to public service in his country. The will of the people shall be the basis of the authority of government; this will shall be expressed in periodic and genuine elections, which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures. (Source: The United Nations)

2. ICCPR (Article 25):

Every citizen shall have the right and the opportunity, without any of the distinctions mentioned in article 2 and without unreasonable restrictions:
(a) To take part in the conduct of public affairs, directly or through freely chosen representatives;
(b) To vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors;
(c) To have access, on general terms of equality, to public service in his country. (Source: The United Nations — ICCPR)

3. Council of Europe e-voting standards (2017):

Section VIII of Recommendation CM/Rec (2017) 51 of the Committee of Ministers to Member States on standards for e-voting (Source: Council of Europe)

4. Open Government Declaration (September 2011) (Source: Open Government Partnership)

5. Guidelines for the Regulation of Computerized Personal Data Files: Resolution or Adoption by the General Assembly

Adopts the guidelines for the regulation of computerized personal data files in their revised version; requests Governments to take into account those guidelines in their legislation and administrative regulations; requests governmental, intergovernmental and non-governmental organizations to respect those guidelines in carrying out the activities within their field of competence. (Source: The United Nations)

6. UN Privacy and Data Protection Principles (2016)

These principles (the “Principles”) set out a basic framework for the processing of “personal data”, which is defined as information relating to an identified or identifiable natural person (“data subject”), by, or on behalf of, the United Nations System Organizations in carrying out their mandated activities. (Source: UN System Chief Executives Board for Coordination)

Election-Related Threat Activity Examples

  1. Pakistan (2013): Unknown Asian and Russian hackers attacked the Election Commission of Pakistan website and servers; later, the website and servers were deliberately shut down as a tactic to avoid any further attack or damage. (Source: Hackeread)
  2. Philippines (March 2016): “Anonymous Philippines,” a group of threat actors, defaced the Philippines Commission on Elections (COMELEC) website and leaked 340 GB of legitimate data. (Source: Mandiant)
  3. United States (June 2016): In mid-2015, two Russia-affiliated groups, namely APT28 and APT29, successfully breached a server belonging to the Democratic National Committee (DNC) and continued to have access to it until at least June 2016. Additionally, there are suspicions that the Russian threat actor known as the Sandworm Team was involved in targeting the election infrastructure of several states. In a separate observation, we discovered a wide-reaching network of social media accounts exploiting the material from the DNC leaks to disseminate various false and misleading narratives. These activities align with the well-known tactics, techniques, and procedures (TTPs) typically associated with the Russian Internet Research Agency (IRA). (Source: Mandiant)
  4. France (May 2017): A suspected team named “Sandworm Team” targeted French President Macron’s “La République En Marche” party. (Source: Mandiant)
  5. Kenya (August 2017): Multiple fake news websites were discovered mimicking legitimate Kenyan and international news websites, some seemingly coordinated to damage an opposition party candidate’s reputation. (Source: Mandiant)
  6. Russia (November 2017): Numerous concerted anti-opposition messages were observed in various IRA-linked YouTube videos, the Russian social media platform VK, and Russian blogs. (Source: Mandiant)
  7. Catalonia (December 2017): A Spanish hacktivist group #OpCatalunya claimed unauthorized access to “iPARTICIPA,” the cloud-hosted system of the administrator handling electronic voting in Catalonian elections. (Source: Mandiant)
  8. Pakistan (January 2018): The Pakistan Tehreek-e-Insaf (PTI) official website was targeted by hackers who defaced the website and posted offensive content. (Source: DailyTimes)
  9. Honduras (January 2018): Hacktivists affiliated with Anonymous initiated the #OpHonduras campaign to express their protest in response to the inauguration of Honduran President Juan Orlando Hernández. (Source: Mandiant)
  10. Malaysia (March 2018): Suspected Chinese threat actors utilized a series of lure documents associated with the Malaysian election to target multiple government agencies. (Source: Mandiant)
  11. Pakistan (June 2018): A story was circulating where the National Database and Registration Authority (NADRA) was being accused of leaking voter data to outsiders, fearing a potential threat to the Computerized Electoral Rolls System (CERS). Later, NADRA rejected the Election Commission of Pakistan’s (ECP) accusation of breaching voters’ data. (Source: The Nation)
  12. Cambodia (June 2018): APT40 compromised the website of Cambodia’s National Election Commission using AIRBREAK malware. (Source: Mandiant)
  13. Mexico (July 2018): Numerous websites and Facebook groups have been identified as spreading fabricated content both in support of and against various presidential candidates. (Source: Mandiant)
  14. Hong Kong (October 2018): Chinese cyber espionage actors employed the EVILNEST malware as part of a targeted campaign aimed at entities in Hong Kong. (Source: Mandiant)
  15. Taiwan (November 2018): Taiwanese government entities faced a targeted cyber attack by suspected Chinese threat actors, who employed election-themed lures and utilized TAIDOOR malware. (Source: Mandiant)
  16. United States (November 2018): A network of English-language social media accounts, seemingly affiliated with actors supporting Iranian interests, was uncovered, featuring several Twitter accounts impersonating U.S. Republican congressional candidates. (Source: Mandiant)
  17. Unnamed European Country (2019): Unknown threat actors executed spear-phishing attacks against an election administrator and a media organization. (Source: Mandiant)
  18. United States (2020): An Iranian information operations campaign involved impersonating the “Proud Boys” organization and conducting a mass email campaign aimed at threatening U.S. voters. (Source: Mandiant)

Pakistan’s Political Stance on Electronic Voting Systems

The adoption of Electronic Voting Systems (EVS) has been a subject of significant debate and controversy in Pakistan’s political landscape. Various political parties and stakeholders have expressed diverse opinions on the implementation of electronic voting technology in the country’s electoral process. The stance of Pakistani politicians can be broadly categorized into two main groups: proponents and skeptics.

Proponents:

  1. Emphasizing Transparency: Some political parties in Pakistan advocate for the introduction of EVS as a means to enhance transparency in the electoral process. They believe that electronic voting technology can minimize human interference and manipulation, leading to fairer elections with more accurate vote counts.
  2. Efficiency and Speed: Proponents argue that electronic voting systems can expedite the voting process, resulting in faster and more efficient elections. By reducing long queues and waiting times at polling stations, they hope to encourage higher voter turnout.
  3. Appeal to Younger Voters: Certain political factions see EVS as a way to connect with younger voters who are more tech-savvy. They believe that embracing digital voting methods would attract the youth and increase their participation in the democratic process.
  4. Potential to Curb Election Fraud: Supporters of EVS maintain that digital records and biometric verification can help prevent multiple voting and impersonation, contributing to a more secure electoral environment.

Skeptics:

  1. Cybersecurity Concerns: One of the primary concerns raised by skeptics is the vulnerability of electronic voting systems to cyberattacks and hacking. They fear that malicious actors could compromise the integrity of the entire electoral process, undermining the democratic principles of free and fair elections.
  2. Technological Challenges: Some political parties express doubts about Pakistan's readiness to implement EVS on a large scale. Given the country's diverse geographical and infrastructural challenges, they question the feasibility of ensuring uniform access and reliability of electronic voting technology across all regions.
  3. Trust and Familiarity: Skeptics argue that traditional paper-based voting has been ingrained in the minds of the electorate for decades, and shifting to electronic voting might lead to a lack of confidence and trust in the new system.
  4. Cost and Resources: Implementing and maintaining electronic voting systems can be costly. Skeptics raise concerns about the financial burden of introducing EVS, especially in a country facing economic challenges.

Pakistan’s political landscape reflects a wide range of perspectives on the adoption of Electronic Voting Systems. While some political parties advocate for the potential benefits of increased transparency, efficiency, and appeal to young voters, others remain cautious due to concerns related to cybersecurity, technological readiness, voter trust, and the financial implications. As the nation continues to debate the merits and drawbacks of electronic voting technology, it is essential to strike a balance that upholds the democratic process’s integrity while leveraging advancements in technology to facilitate fair and accessible elections.

Ensuring Cybersecurity in Electronic Voting Systems

In the digital age, electronic voting systems can hold the promise of revolutionizing the way we conduct, contest, and participate in elections. Such systems offer greater efficiency, accessibility, and convenience to voters and election administrators alike. However, along with these advantages, electronic voting systems also pose a number of significant cybersecurity challenges. To ensure the integrity of the electoral process and maintain public trust, it is crucial to enhance cybersecurity in electronic voting systems. Here are some key measures that can be taken to achieve this goal.

1. Implementing Strong Encryption and Authentication Mechanisms:

Strong encryption and authentication techniques are crucial components of protecting electronic voting systems from cyber threats. Encryption ensures that the data transmitted and stored in electronic voting systems remains secure and unreadable to unauthorized parties: the information is converted into an encrypted form that can only be decrypted with the appropriate cryptographic key. With the implementation of end-to-end encryption, the integrity and confidentiality of votes and voter data can be preserved, reducing the risk of data breaches or tampering. (Source: M. Bishop, Addison-Wesley Professional, 2004.)

Authentication mechanisms are also crucial for verifying the identity of users accessing electronic voting systems. A robust authentication protocol, such as multi-factor authentication (MFA), biometrics, or digital signatures, helps ensure that only legitimate users can participate in the voting process. By mitigating unauthorized access and potential impersonation, these mechanisms strengthen the overall security posture of electronic voting systems. (Source: M. Bishop, Addison-Wesley Professional, 2004.)

2. Voter-Verified Paper Audit Trails (VVPAT):

Adopting Voter-Verified Paper Audit Trails (VVPAT) is crucial to address concerns regarding transparency and verifiability. The VVPAT system delivers a paper receipt or ballot that voters can see before casting their vote, enabling them to confirm that their electronic vote has been accurately recorded. These paper trails add a layer of security and confidence to the voting process because they can be used in post-election audits to independently check the correctness of electronic vote tallies. (Source: Various, including The Quint World)
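A sketch of the post-election audit described above, added here as an illustration and not taken from any election authority's procedure: machines are chosen reproducibly from a publicly announced seed, and each machine's electronic tally is compared with a hand count of its paper slips. The machine IDs, candidate labels, seed and function names are all constructed for the example.

```python
import hashlib
from collections import Counter


def select_machines(machine_ids, public_seed, sample_size):
    """Pick machines to audit so that any observer can recompute the choice.

    Each machine is ranked by SHA-256(seed:id); the lowest ranks are audited.
    The seed should be generated in public after electronic tallies are frozen.
    """
    if sample_size > len(machine_ids):
        raise ValueError("sample larger than the number of machines")

    def rank(machine_id):
        return hashlib.sha256(f"{public_seed}:{machine_id}".encode()).hexdigest()

    return sorted(machine_ids, key=rank)[:sample_size]


def compare_tally(electronic, paper_slips):
    """Return per-candidate differences between a machine's electronic tally
    (dict candidate -> count) and a hand count of its paper slips (list)."""
    hand_count = Counter(paper_slips)
    diffs = {}
    for candidate in sorted(set(electronic) | set(hand_count)):
        e, p = electronic.get(candidate, 0), hand_count.get(candidate, 0)
        if e != p:
            diffs[candidate] = {"electronic": e, "paper": p}
    return diffs


def audit(electronic_tallies, paper_trails, public_seed, sample_size):
    """Audit the sampled machines; report mismatches and missing paper trails."""
    findings = {}
    sample = select_machines(sorted(electronic_tallies), public_seed, sample_size)
    for machine_id in sample:
        if machine_id not in paper_trails:
            # A machine with no paper record cannot be verified at all.
            findings[machine_id] = "paper trail missing"
            continue
        diffs = compare_tally(electronic_tallies[machine_id], paper_trails[machine_id])
        if diffs:
            findings[machine_id] = diffs
    return findings


# Constructed sample data: EVM-003 disagrees with its paper slips,
# and EVM-004 has no paper trail on file.
ELECTRONIC = {
    "EVM-001": {"A": 100, "B": 50},
    "EVM-002": {"A": 70, "B": 90},
    "EVM-003": {"A": 120, "B": 80},
    "EVM-004": {"A": 60, "B": 60},
}
PAPER = {
    "EVM-001": ["A"] * 100 + ["B"] * 50,
    "EVM-002": ["A"] * 70 + ["B"] * 90,
    "EVM-003": ["A"] * 110 + ["B"] * 90,
}

if __name__ == "__main__":
    # Auditing all four machines here so both problems are guaranteed to surface.
    for machine, result in audit(ELECTRONIC, PAPER, "constructed-public-seed", 4).items():
        print(machine, result)
```

With a sample smaller than the full set, a discrepancy is only found if the affected machine is drawn, which is why the seed must not be predictable before the tallies are fixed.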

3. Regular Security Audits and Penetration Testing:

To assess and find gaps and vulnerabilities, electronic voting systems must undergo regular, thorough security audits. Penetration testing should be carried out by independent security specialists to simulate cyberattacks and evaluate the system’s resilience. Any vulnerabilities found should be immediately fixed to avoid potential exploitation by threat actors.

4. Continuous and Vigilant Monitoring and Intrusion Detection:

Electronic voting systems should be continuously and vigilantly monitored, allowing for real-time detection of any suspicious activity or unauthorized entry attempts. By putting intrusion detection systems (IDS) in place, possible cyber threats can be quickly identified and addressed. To effectively lessen the effects of any security breaches, incident response strategies and automated alerts should be in place.

5. Securing the Supply Chain:

Electronic voting systems’ entire supply chain, from hardware parts to software development, must be protected against potential threats. During the production or distribution stages, adversaries may attempt to introduce malicious code into software or hardware. To ensure the integrity of the parts used in electronic voting systems, strict verification procedures and oversight are essential.
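One form the verification step above can take, shown as an added example rather than any vendor's actual process: before installation, every delivered file is checked against a manifest of expected SHA-256 digests, and altered, missing and unlisted files are reported. The file names and contents are constructed, and the manifest is assumed to have been authenticated separately (for example by a vendor signature checked out of band).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large firmware images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_release(root, manifest):
    """Compare a delivered directory with a manifest {relative_path: sha256_hex}.

    Assumption: the manifest itself is trusted (authenticated separately).
    Returns sorted lists of modified, missing and unexpected files.
    """
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        candidate = root / rel_path
        if not candidate.is_file():
            report["missing"].append(rel_path)
        elif not hmac.compare_digest(sha256_file(candidate), expected):
            report["modified"].append(rel_path)
    # Files that are present but not listed are as suspicious as altered ones.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(on_disk - set(manifest))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo_report():
    """Build a constructed delivery with one altered, one missing, one extra file."""
    vendor_files = {
        "firmware.bin": b"constructed firmware v1",
        "ballot_def.json": b'{"contest": "constructed"}',
        "tally.cfg": b"constructed tabulator config",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in vendor_files.items()}
    with tempfile.TemporaryDirectory() as tmp:
        delivered = Path(tmp)
        # firmware.bin was changed somewhere between vendor and polling station
        (delivered / "firmware.bin").write_bytes(b"constructed firmware v1 + altered bytes")
        (delivered / "ballot_def.json").write_bytes(vendor_files["ballot_def.json"])
        # tally.cfg never arrived; extra.bin is not in the manifest
        (delivered / "extra.bin").write_bytes(b"constructed unexpected file")
        return verify_release(delivered, manifest)


if __name__ == "__main__":
    report = demo_report()
    for category, files in report.items():
        print(f"{category}: {files}")
    print("install blocked" if any(report.values()) else "release matches manifest")
```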

6. Educating and raising awareness among Voters, Contestants, and Election Administrators:

Campaigns to raise awareness and promote education are essential for increasing the security of electronic voting systems. Voters should be educated on secure voting procedures, how to spot fake news, and how to report suspicious activity. Candidates for elections should be aware of how fair and trustworthy the electronic voting process is. Election officials should take cybersecurity training to understand the possible risks and take the appropriate security measures.

7. Redundancy and Contingency Planning:

Electronic voting systems should include built-in redundancy and backup mechanisms to ensure the continuity of the voting process in the event of system failures or cyberattacks. Contingency plans for electronic voting systems should be established to handle any potential disruptions and be able to quickly restore the integrity of the electoral process.

8. Collaboration between Governments, Cybersecurity Experts, Tech Companies, and Civil Society:

In order to overcome the complicated cybersecurity concerns in electronic voting systems, a coordinated strategy involving governments, tech corporations, cybersecurity experts, and civil society is essential. Governments should adopt strict cybersecurity regulations and standards, working with well-known cybersecurity experts, and tech companies should give security a top priority when designing and developing voting systems. Organizations in civil society can participate by promoting electoral accountability and openness.

The future of Electronic Voting Systems in Pakistan holds the potential to transform the electoral process for the better, offering increased efficiency, accuracy, and accessibility. However, to ensure a successful transition, addressing cybersecurity challenges is of paramount importance. By implementing robust security measures, conducting regular audits, and building public trust through awareness campaigns, Pakistan can embrace EVS while safeguarding the integrity of its democratic processes. A well-designed and secure EVS can play a pivotal role in strengthening democracy, empowering citizens, and upholding the fundamental principles of free and fair elections.
